
Middleware and TagHelpers for CSP support in ASP.NET (#1)

Open salcho opened this issue 5 years ago • 5 comments

Hello .NET community!

This PR adds Content Security Policy support for ASP.NET as middleware. CSP is a popular security mitigation against XSS and other injection vulnerabilities. CSP comes in many flavours, but we've chosen to add support for the most robust of them: nonce-based, strict-dynamic CSP.

Summary of the changes

  • Allows configuration of whether CSP is enabled in reporting or enforcement mode.
  • Allows configuration of a report URI, for violation reports sent by the browser.
  • CSP middleware generates a nonce-based, strict-dynamic policy.
  • Middleware adds the policy to HTTP responses according to the configuration.
  • Custom
  • Provides a default implementation of a CSP violation report collection endpoint.
  • Example app that uses our CSP middleware and corresponding basic unit tests.
  • With these tools, developers can enable CSP in reporting mode, collect reports and identify and refactor existing code that is incompatible with CSP from these reports. Finally, developers will be able to switch CSP to enforcing mode, which will provide a very robust defense against XSS.

Addresses https://github.com/dotnet/aspnetcore/issues/6001

Co-authored with: Aaron Shim - https://github.com/aaronshim ([email protected])

salcho avatar Aug 13 '20 14:08 salcho
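The following is an added illustration of the flow the PR description lays out (per-request nonce, a nonce-based `'strict-dynamic'` policy emitted as either the report-only or the enforcing header, and a small endpoint that collects the browser's violation reports). It is hypothetical example code written for this page, not the AspLabs implementation; the type and method names (`CspOptions`, `CspMiddleware`, `UseCsp`, `MapCspReports`) and the `/csp-report` path are assumptions.

```csharp
// Hypothetical minimal nonce-based, strict-dynamic CSP middleware for ASP.NET Core.
// Example code written for this page; not the AspLabs project's implementation.
using System;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public sealed class CspOptions
{
    // Report-only mode sends Content-Security-Policy-Report-Only and blocks nothing;
    // switch to false once the reports show no remaining incompatible code.
    public bool ReportOnly { get; set; } = true;
    // Path the browser POSTs violation reports to (Content-Type: application/csp-report).
    public string ReportUri { get; set; } = "/csp-report";
}

public sealed class CspMiddleware
{
    public const string NonceKey = "csp-nonce"; // key under which views find the nonce
    private readonly RequestDelegate _next;
    private readonly CspOptions _options;

    public CspMiddleware(RequestDelegate next, CspOptions options)
    {
        _next = next;
        _options = options;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // 128 bits from a CSPRNG, base64-encoded: a fresh value for every response.
        var nonceBytes = new byte[16];
        RandomNumberGenerator.Fill(nonceBytes);
        var nonce = Convert.ToBase64String(nonceBytes);
        context.Items[NonceKey] = nonce;

        // Headers must be set before the body starts streaming; OnStarting guarantees that.
        context.Response.OnStarting(() =>
        {
            var headerName = _options.ReportOnly
                ? "Content-Security-Policy-Report-Only"
                : "Content-Security-Policy";
            // 'strict-dynamic' lets nonced scripts load further scripts and makes browsers
            // that support it ignore the https: and 'unsafe-inline' fallbacks, which only
            // older browsers act on. object-src/base-uri 'none' close the usual bypasses.
            var policy =
                $"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; " +
                "object-src 'none'; base-uri 'none'; " +
                $"report-uri {_options.ReportUri}";
            context.Response.Headers[headerName] = policy;
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

public static class CspExtensions
{
    public static IApplicationBuilder UseCsp(this IApplicationBuilder app, CspOptions options)
        => app.UseMiddleware<CspMiddleware>(options);

    // Report sink: parse the browser's JSON and log the interesting fields so
    // violations are visible in the console while the app runs in report-only mode.
    public static IEndpointConventionBuilder MapCspReports(this IEndpointRouteBuilder endpoints, string path)
        => endpoints.MapPost(path, async context =>
        {
            var logger = context.RequestServices
                .GetRequiredService<ILoggerFactory>().CreateLogger("Csp");
            try
            {
                using var doc = await JsonDocument.ParseAsync(context.Request.Body);
                if (doc.RootElement.TryGetProperty("csp-report", out var report))
                {
                    // Fields are untrusted, browser-supplied strings: log them, never render them.
                    logger.LogWarning("CSP violation: directive={Directive} blocked={Blocked} on {Document}",
                        report.TryGetProperty("violated-directive", out var d) ? d.ToString() : "?",
                        report.TryGetProperty("blocked-uri", out var b) ? b.ToString() : "?",
                        report.TryGetProperty("document-uri", out var u) ? u.ToString() : "?");
                }
            }
            catch (JsonException) { /* malformed report: ignore, still return 204 */ }
            context.Response.StatusCode = StatusCodes.Status204NoContent;
        });
}

// Wiring in Startup.Configure (assumed layout):
//   app.UseCsp(new CspOptions { ReportOnly = true, ReportUri = "/csp-report" });
//   app.UseRouting();
//   app.UseEndpoints(endpoints => endpoints.MapCspReports("/csp-report"));
// In a Razor view, every inline or external script carries the per-request nonce:
//   <script nonce="@Context.Items[CspMiddleware.NonceKey]">...</script>
```

Two practical points when using something like this: the report endpoint must be excluded from any anti-forgery or JSON-content-type filtering (browsers send `application/csp-report`), and the body size should be capped, since anyone can POST to it once the path is visible in the header. Note that `ReportOnly = true` changes only the header name, so the very same policy string that is being debugged is the one eventually enforced.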


Note that there is already an existing project: https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders

And this one: https://www.nuget.org/packages/Joonasw.AspNetCore.SecurityHeaders

ctolkien avatar Aug 13 '20 23:08 ctolkien

Hi Chad! The most popular way to add CSP to .NET at the moment is the NWebSec project. You can see the discussion on these alternatives at https://github.com/dotnet/aspnetcore/issues/6001 (tl;dr some of these projects haven't been updated in a while and we all agree it would be good to add more core security features to .NET).

Sorry I didn't make this explicit in the PR description, but if you take a look at the README file inside the CSP folder you'll see references to our discussions with Barry Dorrans (barry.dorrans[at]microsoft.com) and a design document that explains the rationale behind this PR. This CSP implementation was intended to be added to the core .NET framework (see https://github.com/dotnet/aspnetcore/pull/24548).

Unfortunately, and if I understand correctly, there are some pressing deadlines for the release of .NET 6 and we've been asked by Barry to transfer this PR here so the .NET team can iterate on it later on.

salcho avatar Aug 14 '20 09:08 salcho

Obviously we're aware of the existing community projects, but this work goes beyond just the header itself that the linked packages above have, with the reporting endpoint to make debugging easier (oh look, your CSP violations in the console when you hit F5), and the nonce attribute generation.

We welcome collaboration with Google to drive browser security from the backend, and CSP is a great starting point, as it's a well understood feature. There's been discussion of more middlewares for more browser security features, and of course, given that Google tends to drive these things via Chrome experiments, it seems a rather natural fit.

As for why it's in labs, 5 is branched now for RC. No more features can be added, but we don't want to wait until 6 to have this up and running. Labs will allow us to give feedback, watch it iterate, and then ship a package out of band, and take it in band in 6 if needed (and it is sorely needed).

blowdart avatar Aug 26 '20 13:08 blowdart

What about styles?

Ponant avatar Jun 28 '21 08:06 Ponant